5

As of version 8 (later backported to 7.3), GCC has added retpoline support [0]. While I understand that it is intended[citation needed] for use in kernel patching for Spectre (i.e. [1][2]), that does not prevent normal developers from using those flags.

As such, should I use the flags for retpoline (-mindirect-branch, -mfunction-return, and related)?

For example, I have written a cryptographically-secure password generation program in C [3]. When I compile using -mindirect-branch=thunk -mfunction-return=thunk, the resulting binary is different from the one built without those flags, presumably from the switch from call and jump instructions to call and return thunks. Is there any reason for doing this, or any benefits from a security perspective?

esote
    I believe it is acceptable and recommended to use it for userspace, at least when the performance impact is acceptable. – forest May 21 '18 at 04:47
  • [Answer at StackOverflow](https://stackoverflow.com/a/53435462/3648282). It will introduce a performance hit in the program, and since the OS is fixed compiling user code with the switches should be unnecessary (but possible). – Rob Nov 22 '18 at 17:01

1 Answer

4

There is a benefit from doing this. These options enable retpoline to mitigate Spectre V2. This is important in programs which handle sensitive or confidential data where the variable performance impact is not a concern. The binary is different because return trampolines are being added to the code.

The second flag, -mfunction-return, is required on Skylake+ processors as they are additionally vulnerable to attacks against the branch target buffer (BTB) that return prediction may use as a fallback.

forest
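A practical way to confirm that the flags did what the answer describes is to build the same program twice and look for the thunks in the disassembly. The script below is an added example, not code from the question, the answer, or GCC's documentation. It assumes GCC 7.3 or later on x86-64 with `objdump` (binutils) available; the sample C program, the work directory name and the function names are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the original Q&A): compile a small C program with and
# without GCC's retpoline flags and confirm the thunks actually landed in the binary.
set -eu

WORKDIR="${TMPDIR:-/tmp}/retpoline-demo.$$"
mkdir -p "$WORKDIR"

# Constructed sample program: a function-pointer dispatch table forces an
# indirect call, which is the instruction -mindirect-branch=thunk rewrites.
write_sample() {
    cat > "$WORKDIR/dispatch.c" <<'EOF'
#include <stdio.h>

static int add(int a, int b) { return a + b; }
static int sub(int a, int b) { return a - b; }
typedef int (*op_fn)(int, int);

int dispatch(int which, int a, int b) {
    op_fn table[] = { add, sub };
    return table[which & 1](a, b);   /* indirect call through a register */
}

int main(int argc, char **argv) {
    (void)argv;
    printf("%d\n", dispatch(argc, 40, 2));
    return 0;
}
EOF
}

# Returns 0 if this toolchain can build x86 retpolines (GCC >= 7.3 on x86-64).
# -fcf-protection=none is needed because GCC refuses to combine
# -mindirect-branch with CET's -fcf-protection, which some distros enable by default.
retpoline_supported() {
    command -v gcc >/dev/null 2>&1 || return 1
    command -v objdump >/dev/null 2>&1 || return 1
    [ "$(uname -m)" = "x86_64" ] || return 1
    printf 'int x;\n' | gcc -mindirect-branch=thunk -mfunction-return=thunk \
        -fcf-protection=none -fsyntax-only -x c - >/dev/null 2>&1
}

# build <name> [extra gcc flags...]: compiles the sample into $WORKDIR/<name>.
# -O0 keeps the indirect call in place so the rewrite is easy to spot.
build() {
    name="$1"; shift
    write_sample
    gcc -O0 -fcf-protection=none "$@" -o "$WORKDIR/$name" "$WORKDIR/dispatch.c"
}

# Counts lines in the disassembly that reference the thunks GCC emits:
# __x86_indirect_thunk_<reg> for indirect call/jmp (-mindirect-branch=thunk)
# and __x86_return_thunk for rewritten ret instructions (-mfunction-return=thunk).
thunk_count() {
    objdump -d "$1" | grep -c -e '__x86_indirect_thunk' -e '__x86_return_thunk' || true
}

# Builds both variants and prints the thunk reference count for each.
compare_builds() {
    build plain
    build retpoline -mindirect-branch=thunk -mfunction-return=thunk
    plain=$(thunk_count "$WORKDIR/plain")
    hardened=$(thunk_count "$WORKDIR/retpoline")
    echo "thunk references without flags: $plain"
    echo "thunk references with    flags: $hardened"
}

if retpoline_supported; then
    compare_builds
else
    echo "retpoline flags not supported by this toolchain (need GCC >= 7.3 on x86-64)"
fi
```

The plain build should report zero thunk references; the retpoline build should show `__x86_indirect_thunk_<reg>` entries for the dispatch call and `__x86_return_thunk` entries in place of every function's `ret`, which is exactly the difference the question observed between the two binaries. Remember that the thunks only cover code the compiler generates: PLT stubs emitted by the linker and any pre-built libraries the program links against are unchanged unless they were built with the same flags.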